Lucene search

GoogleOSV:GHSA-FJ6F-6933-839J

HistoryMay 24, 2022 - 5:07 p.m.

Non-constant time HMAC comparison

2022-05-2417:07:40

Google

osv.dev

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

49.3%

JSON

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison when checking whether two HMACs are equal. This could potentially allow attackers to use statistical methods to obtain a valid HMAC for an attacker-controlled input value.

Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison when validating HMACs.

CPENameOperatorVersion
org.jenkins-ci.main:jenkins-coreeq2.60.3
org.jenkins-ci.main:jenkins-coreeq1.500
org.jenkins-ci.main:jenkins-coreeq1.571
org.jenkins-ci.main:jenkins-coreeq2.118
org.jenkins-ci.main:jenkins-coreeq1.622
org.jenkins-ci.main:jenkins-coreeq2.140
org.jenkins-ci.main:jenkins-coreeq2.169
org.jenkins-ci.main:jenkins-coreeq1.596.1
org.jenkins-ci.main:jenkins-coreeq1.510
org.jenkins-ci.main:jenkins-coreeq2.75

Name	Operator	Version
org.jenkins-ci.main:jenkins-core	eq	2.60.3
org.jenkins-ci.main:jenkins-core	eq	1.500
org.jenkins-ci.main:jenkins-core	eq	1.571
org.jenkins-ci.main:jenkins-core	eq	2.118
org.jenkins-ci.main:jenkins-core	eq	1.622
org.jenkins-ci.main:jenkins-core	eq	2.140
org.jenkins-ci.main:jenkins-core	eq	2.169
org.jenkins-ci.main:jenkins-core	eq	1.596.1
org.jenkins-ci.main:jenkins-core	eq	1.510
org.jenkins-ci.main:jenkins-core	eq	2.75

Rows per page:

1-10 of 5941

References

www.openwall.com/lists/oss-security/2020/01/29/1

access.redhat.com/errata/RHBA-2020:0402

access.redhat.com/errata/RHBA-2020:0675

access.redhat.com/errata/RHSA-2020:0681

access.redhat.com/errata/RHSA-2020:0683

github.com/jenkinsci/jenkins

github.com/jenkinsci/jenkins/commit/6f35dbb939ebe947bdb1979010b208480f1d0e31

jenkins.io/security/advisory/2020-01-29/#SECURITY-1660

nvd.nist.gov/vuln/detail/CVE-2020-2102

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

49.3%

JSON

Related for OSV:GHSA-FJ6F-6933-839J